What is the sl(0) in DNS logs as host name?

Davood 21 Reputation points
2021-09-10T08:25:29.743+00:00

I was checking my DNS queries (with logs) and found that there are a lot of queries like the one below with that IP address, but I cannot understand why they are on port 80 and what the (2)sl(0) is as the name/host name.

9/9/2021 7:43:24 AM 0CBC PACKET 00000000016E4F90 UDP Rcv 72.9.21.67 4567 Q [0001 D NOERROR] ALL (2)sl(0)
UDP question info at 00000000016E4F90
Socket = 336
Remote addr 72.9.21.67, port 80
Time Query=71848, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x001f (31)
Message:
XID 0x4567
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 1
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(2)sl(0)"
QTYPE ALL (255)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
Offset = 0x0014, RR count = 0
Name "(0)"
TYPE OPT (41)
CLASS 65535
TTL 0
DLEN 0
DATA
Buffer Size = 65535
Rcode Ext = 0
Rcode Full = 0
Version = 0
Flags = 0


Accepted answer
  1. Limitless Technology 39,356 Reputation points
    2021-09-13T07:59:06.45+00:00

    Hello @Davood ,

    This is an external query to discover DNS query types with SL characters; this may make sense to you depending on the hostnames and addresses in your company.

    If not, this may be part of a range scan for vulnerabilities, so the best option will be to set the firewall to block inbound requests of that type. You can easily set it up with PowerShell, running the New-NetFirewallRule cmdlet. Here you have some examples:

    https://learn.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps

    Hope this helps in your case,
    Best regards,


2 additional answers

  1. Marco Schiavon 711 Reputation points
    2021-09-10T09:46:25.68+00:00

    Simply the FQDN requested.

    example:
    (12)somecomputer(6)domain(3)com(0)

    0=> .
    COM=>3 char
    DOMAIN=>6 char
    SOMECOMPUTER=>12 char

    in your case, (2)sl(0) :
    0=>.
    SL=>2 char

    See this: https://serverfault.com/questions/684782/whats-in-the-dns-debug-log-message-fields


  2. Marco Schiavon 711 Reputation points
    2021-09-10T09:57:19.02+00:00

    Maybe someone is asking your DNS for record type "ALL" with FQDN "SL".
    Could be "give me all your Source List" but the type "ALL" does not exist in DNS (https://en.wikipedia.org/wiki/List_of_DNS_record_types).
    So, probably, it is someone or something that is trying.... Create a rule in your firewall to deny source 72.9.21.67 to tcp/udp 53

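Added example, not part of the thread and not Microsoft's code: Python that decodes the length-prefixed name notation explained in the first additional answer and lists received ALL (QTYPE 255) questions whose source is a public address, for triaging a DNS debug log like the one in the question. The regular expression is an assumption fitted to the summary line shown in the question, and the second and third sample lines are constructed.

```python
import ipaddress
import re

# Assumed layout of a packet summary line, fitted to the line in the question.
PACKET_RE = re.compile(
    r"^(?P<when>\S+\s+\S+\s+[AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+"
    r"(?P<remote>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R\s+)?(?P<opcode>[A-Z?])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>(?:\(\d+\)[^()]*)+)\s*$"
)

def decode_name(logged):
    """Turn '(2)sl(0)' into 'sl.'; each (n) is the length of the label after it."""
    parts = re.findall(r"\((\d+)\)([^()]*)", logged)
    rebuilt = "".join(f"({n}){label}" for n, label in parts)
    if rebuilt != logged or not parts or parts[-1] != ("0", ""):
        raise ValueError(f"not a length-prefixed name ending in (0): {logged!r}")
    if any(int(n) != len(label) for n, label in parts):
        raise ValueError(f"a length prefix does not match its label: {logged!r}")
    return ".".join(label for _, label in parts[:-1]) + "."

def parse_packet(line):
    """Return the fields of a packet summary line, or None for any other line."""
    m = PACKET_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("resp") is not None
    rec["qname"] = decode_name(rec["qname"])
    return rec

def external_all_queries(lines):
    """Received ALL (QTYPE 255) questions that came from a public source address."""
    hits = []
    for line in lines:
        rec = parse_packet(line)
        if (rec and rec["dir"] == "Rcv" and not rec["is_response"]
                and rec["qtype"] == "ALL"
                and ipaddress.ip_address(rec["remote"]).is_global):
            hits.append((rec["remote"], rec["qname"]))
    return hits

SAMPLE = [  # first line is from the question; the other two are constructed
    "9/9/2021 7:43:24 AM 0CBC PACKET 00000000016E4F90 UDP Rcv 72.9.21.67 4567 Q [0001 D NOERROR] ALL (2)sl(0)",
    "9/9/2021 7:43:25 AM 0CBC PACKET 00000000016E5000 UDP Rcv 10.0.0.5 1a2b Q [0001 D NOERROR] A (12)somecomputer(6)domain(3)com(0)",
    "9/9/2021 7:43:25 AM 0CBC PACKET 00000000016E5000 UDP Snd 10.0.0.5 1a2b R Q [8085 A DR NOERROR] A (12)somecomputer(6)domain(3)com(0)",
]

if __name__ == "__main__":
    print(external_all_queries(SAMPLE))
```

Lines of the detailed packet dump (Socket, Flags, QUESTION SECTION and so on) do not match the summary pattern and are skipped.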